From a51715e0ba760ce4367a779aaa4068428ac34d66 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Thu, 4 Jun 2026 16:03:23 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-04 16:03:16 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-04 16:03:16 --- ...6-04-howard-caregiver-laptop-enrollment.md | 76 +++++++++++++++++++ wiki/clients/cascades-tucson.md | 3 +- 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md diff --git a/clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md b/clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md new file mode 100644 index 0000000..c61475f --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md 
@@ -0,0 +1,76 @@ +# Cascades — Caregiver laptop Intune enrollment prep (devices@ licensed) + +**Date:** 2026-06-04 +**Client:** Cascades of Tucson (Syncro 20149445, Tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`) + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Resumed the caregiver device allow-list rollout (continued from `2026-06-03-session.md`). The plan: Entra-join the 4 caregiver/medtech laptops so they exist as Entra device objects, then tag them onto the report-only allow-list CA policy created 2026-06-03. + +Prepared the enrollment account. The dedicated provisioning account `devices@cascadestucson.com` (Cloud Device Administrator) was unlicensed, which would let a device Entra-join but skip Intune auto-enrollment. Set its `usageLocation` to US and assigned a Microsoft 365 Business Premium (SPB) license via the User Manager app so auto-MDM-enroll fires on join. The license is needed only transiently at enrollment time and can be reclaimed after the batch. + +Provided Howard the start-to-finish enrollment runbook: confirm Intune MDM user scope = All (portal), Entra-join each laptop with `devices@`, verify it lands in Intune, then report device names back for tagging (`extensionAttribute1=CSCCaregiverDevice`). Recommended doing one laptop end-to-end first to validate the flow before the rest. NURSESTATION-PC remains the separate Hybrid Entra Join track. + +No laptops were enrolled this session — enrollment is the next hands-on step for Howard. No repo changes beyond this log; the license assignment was a live Entra change. + +## Key Decisions + +- Assigned Business Premium to `devices@` rather than to a user account, keeping a dedicated provisioning identity for device joins; the seat is reclaimable post-enrollment. +- Set `usageLocation=US` on `devices@` (required before any license can be assigned). 
+ +## Problems Encountered + +- First license-assignment attempt failed (HTTP 404, "Resource '197609' does not exist"). Cause: `UID` is a read-only special variable in bash, so `UID=` silently failed and `$UID` resolved to the shell's numeric user id. Resolved by renaming the variable (`DEVID`). +- Immediate license read-back showed `Business Premium=false` right after a 200 assignLicense — Entra eventual consistency. Confirmed assigned on re-read after a short delay. + +## Configuration Changes + +- Live Entra change (no repo files): `devices@cascadestucson.com` — set `usageLocation=US`; assigned license SPB (`cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`) via Graph `POST /users/{id}/assignLicense` (User Manager tier). Verified present. +- Session log created (this file). + +## Credentials & Secrets + +- `devices@cascadestucson.com` / `Gptf*77ttb!` — Cloud Device Administrator, user ID `aaca80c6-861b-4294-8068-1033c68d7667`. Now licensed Business Premium + usageLocation US. Vault: `clients/cascades-tucson/devices-account.sops.yaml`. Use this account to Entra-join the laptops. Reclaim the Business Premium seat after the enrollment batch. + +## Infrastructure & Servers + +- Tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`. +- SKU: Business Premium (SPB) `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`. +- Report-only allow-list policy (from 2026-06-03): `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; device filter excludes `(displayName -startsWith "CSC-") -or (extensionAttribute1 -eq "CSCCaregiverDevice")`. +- Target laptops (Entra join): Laptop2, LAPTOP-8P7HDSEI (Win10 — upgrade), LAPTOP-DRQ5L558, LAPTOP-E0STJJE8. NURSESTATION-PC = Hybrid join track (stale 2021 Entra record to clean). 
+ +## Commands & Outputs + +```bash +# Set usageLocation then assign Business Premium (note: do NOT use $UID as a var name in bash) +DEVID=aaca80c6-861b-4294-8068-1033c68d7667 +SPB=cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46 +TOK=$(bash scripts/get-token.sh $TEN user-manager) +curl -s -X PATCH ... -d '{"usageLocation":"US"}' .../users/$DEVID # HTTP 204 +curl -s -X POST ... -d '{"addLicenses":[{"skuId":"'$SPB'"}],"removeLicenses":[]}' \ + .../users/$DEVID/assignLicense # HTTP 200 +# Verify: assignedLicenses includes cbdc14ab-... (after ~6s, eventual consistency) +``` + +## Pending / Incomplete Tasks + +- [ ] Confirm Intune MDM user scope = All (Entra -> Devices -> Mobility (MDM and MAM) -> Microsoft Intune) — not verifiable via API. +- [ ] Entra-join the 4 laptops with `devices@` (do one first, validate end-to-end). +- [ ] Report device names -> tag each `extensionAttribute1=CSCCaregiverDevice`. +- [ ] Confirm which printer(s) each laptop needs -> Intune printer push (FrontDesk Epson ET-5800 192.168.2.147; CopyRoom Canon C478iF 192.168.2.230; MCReception Epson ET-5800). +- [ ] Confirm whether any laptop needs on-prem file shares (would push that one to hybrid). +- [ ] NURSESTATION-PC Hybrid Entra Join (Entra Connect device options on CS-SERVER); clean stale 2021 record. +- [ ] Review report-only sign-in results, then cutover: enable allow-list policy + disable `CSC - Block caregivers on non-compliant device`. +- [ ] Reclaim Business Premium seat from `devices@` after enrollment batch. +- [ ] LAPTOP-8P7HDSEI: upgrade Win10 -> Win11 before PHI use. + +## Reference Information + +- Prior context: `clients/cascades-tucson/session-logs/2026-06-03-session.md` (admin consent + allow-list policy + join-model decisions). +- Allow-list policy id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; ALIS admin-consent grant id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`. +- Tickets: #110680053 (domain migration), #109412123 (Entra setup). 
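Review bot: the `## Credentials & Secrets` bullet commits the `devices@cascadestucson.com` password in plaintext to the repository, even though the same bullet already points at the sops vault `clients/cascades-tucson/devices-account.sops.yaml`. Drop the password from this log and keep only the vault reference; because the value has now entered git history, treat the credential as exposed and rotate it before the enrollment batch (the account holds Cloud Device Administrator and is about to be typed into four shared laptops). Secondary, in the `## Commands & Outputs` block: `$TEN` is never set and `$DEVID`/`$SPB` are expanded unquoted, so add a `TEN=<tenant id>` line before `TOK=$(...)` and quote the expansions (`"$DEVID"`, `"$SPB"`) so the snippet reproduces the session as run.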
diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index f748022..3a19e12 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md @@ -34,6 +34,7 @@ sources: - clients/cascades-tucson/session-logs/2026-06-02-howard-efax-scanner-ticket.md - clients/cascades-tucson/session-logs/2026-06-03-session.md - clients/cascades-tucson/session-logs/2026-06-04-howard-email-delivery-investigation.md + - clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md - clients/cascades-tucson/docs/overview.md - clients/cascades-tucson/docs/network/topology.md - clients/cascades-tucson/docs/network/vlans.md 
@@ -204,7 +205,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building | LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | - **Join model (decided 2026-06-03):** The 4 laptops are **Entra-joined (cloud join)**, NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported. - - **Enrollment account:** `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). Needs a **Business Premium** license **only at enrollment time** so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API. + - **Enrollment account:** `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). **Licensed Business Premium + usageLocation=US on 2026-06-04** and ready to join/auto-enroll. The license is needed **only at enrollment time** so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. 
Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API. - **Printing:** does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800. - **Cutover prerequisites (pending Howard OK):** Entra-join + Intune-enroll the 4 laptops; tag each `extensionAttribute1=CSCCaregiverDevice`; confirm NURSESTATION-PC Hybrid Entra Join; review report-only sign-in results; then enable allow-list policy AND disable `CSC - Block caregivers on non-compliant device`. - **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
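Review bot: the replacement `**Enrollment account:**` bullet states the account was licensed on 2026-06-04 but still carries "(30 SPB seats free as of 2026-06-03)", which is now off by the seat just assigned; restate the count as of 2026-06-04 so the reclaim reminder matches the tenant. Also, "ready to join/auto-enroll" reads stronger than the session log's own pending list, where MDM user scope = All is still unconfirmed; suggest "ready to join/auto-enroll once MDM user scope = All is confirmed in the portal" so the wiki does not signal a green light ahead of that check.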